
Capital One 360 Login Blocked

Posted: Fri Feb 19, 2016 5:48 pm
by billdfixer
Firefox 44.0.2
NoScript 2.9.0.4

Sometime within the past week, Capital One 360 updated their website and changed its login functionality (https://secure.capitalone360.com/myacco ... g/login.vm).

After entering my username, clicking on the "Continue" button does nothing.

In NoScript, "Temporarily allow all this page" does not help.
In NoScript, "Allow Scripts Globally" does not help.

I downgraded Firefox by two versions but that did not help.
I downgraded NoScript by one point release but that did not help.

Disabling NoScript completely is the only way that I have found to finally be able to login.

I do not know how to determine what Capital One did to their website to cause this problem with NoScript and I do not know what to do with NoScript to work around whatever Capital One did.

There has to be a way to keep NoScript active and be able to log into Capital One 360, as I was able to do before their website, Firefox, and NoScript were all upgraded.

Any suggestions?

Re: Capital One 360 Login Blocked

Posted: Fri Feb 19, 2016 6:28 pm
by billdfixer
Firefox 44.0.2
NoScript 2.7
Windows 8.1

Since I could not edit my post, I post this update as a reply.

Downgrading from NoScript 2.9.0.4 to NoScript 2.7 allows me to login to Capital One 360 without any problems and without changing any of my previous NoScript settings, just as I was able to do before.

Previous versions of NoScript can be found here: https://addons.mozilla.org/en-US/firefo ... /versions/

Downgrading NoScript may not be the best solution but I do not know of any other solution or how to provide needed information to fix the conflict.

Re: Capital One 360 Login Blocked

Posted: Fri Feb 19, 2016 8:22 pm
by therube
Signin page, the Continue takes me to Password screen.
Password is accepted & reports, Invalid, which is fine because I have login for Cap1.

So from my end, FF 44.0.1 & NoScript 2.9.0.3 (I'm a bit dated on each it seems) looks like it should work correctly. (At least I'm getting expected responses.)

Re: Capital One 360 Login Blocked

Posted: Fri Feb 19, 2016 8:55 pm
by barbaz
billdfixer wrote: Downgrading from NoScript 2.9.0.4 to NoScript 2.7 allows me to login to Capital One 360 without any problems and without changing any of my previous NoScript settings, just as I was able to do before.

Previous versions of NoScript can be found here: https://addons.mozilla.org/en-US/firefo ... /versions/

Downgrading NoScript may not be the best solution but I do not know of any other solution or how to provide needed information to fix the conflict.

Read viewtopic.php?p=81248#p81248 before downgrading below NoScript 2.9.0.1rc2.

Re: Capital One 360 Login Blocked

Posted: Sat Feb 20, 2016 6:23 pm
by billdfixer
Based on @therube's reply, I upgraded NoScript from 2.7 to 2.9.0.2 and can now login using Firefox 44.0.2. I tried using 2.9.0.3 but the login problem happened again. Obviously, something changed after 2.9.0.2 that causes this login problem on this banking website.

Re: Capital One 360 Login Blocked

Posted: Sun Feb 21, 2016 2:04 am
by barbaz
Yes, downgrading to NS 2.9.0.2 while on Firefox 44.0 is reasonable to do.

This really doesn't sound like that one XSS issue that plagues an oddly massive number of financial sites. That issue didn't "regress" with NS 2.9.0.3.

With NoScript latest development build, when this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

Re: Capital One 360 Login Blocked

Posted: Sun Feb 21, 2016 4:42 pm
by billdfixer
barbaz wrote: Yes, downgrading to NS 2.9.0.2 while on Firefox 44.0 is reasonable to do.

This really doesn't sound like that one XSS issue that plagues an oddly massive number of financial sites. That issue didn't "regress" with NS 2.9.0.3.

With NoScript latest development build, when this issue occurs, do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)
With NoScript 2.9.0.4, this is what appears as the login page loads:

Code:

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: JSESSIONID=B726EDD01511A050ECE081FE5D0C832C; domain=secure.capitalone360.com; path=/myaccount/; HttpOnly; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: DeviceDetails="{Device_Info=WEB, Site_Pref=NORMAL}"; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: isso_mig=no; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: BIGipServerpl_secure.capitalone360.com_80=1730193600.20480.0000; domain=secure.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: BIGipServerpl_WA_secure.capitalone360.com_80=2754062528.20480.0000; domain=secure.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: TLTSID=632D79A0F782B1EF5D5E87FF5FF88974; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://secure.capitalone360.com: TLTUID=BB4DEB2E218745D1E397389D8377F18F; domain=.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=1107859466.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=1107859466.20480.0000; domain=home.capitalone360.com; path=/; Secure

[NoScript HTTPS] AUTOMATIC SECURE on https://home.capitalone360.com: BIGipServerpl_home.capitalone360.com_80=3070793738.20480.0000; domain=home.capitalone360.com; path=/; Secure
This is what appears when I type the first character of a username:

Code:

Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul

Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul

Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul
This is what appears when I click on the "Continue" button:

Code:

Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351
Note: Nothing more is processed when the "Continue" button is clicked and there is no further Console output when the "Continue" button is clicked repeatedly.


With NoScript 2.9.0.2 (which DOES allow me to login), this is what appears when I click on the username field (nothing is typed):

Code:

Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351
Note that this above message does not appear with NoScript 2.9.0.4 until after the "Continue" button is clicked.


Then, with NoScript 2.9.0.2, this is what appears when I type the first character of a username:

Code:

Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul

Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul

Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul
Note that with NoScript 2.9.0.4, these above messages appear only when a character is typed into the username field and appear before the above noted "getPreventDefault()" message.

Hopefully there is something here that will lead to a better solution than downgrading.

Re: Capital One 360 Login Blocked

Posted: Sun Feb 21, 2016 5:24 pm
by barbaz
I find it really odd that Secure Cookies Management is pointed to as the culprit... and I assume that you clear cookies each time, otherwise those messages shouldn't happen (I think). Then again, the changelogs for 2.9.0.3 are incomplete...

Does clearing cookies and disabling Secure Cookies Management (NoScript Options > Advanced > HTTPS > Cookies) let latest development build work here?

Re: Capital One 360 Login Blocked

Posted: Mon Feb 22, 2016 3:07 am
by billdfixer
barbaz wrote: I find it really odd that Secure Cookies Management is pointed to as the culprit... and I assume that you clear cookies each time, otherwise those messages shouldn't happen (I think). Then again, the changelogs for 2.9.0.3 are incomplete...

Does clearing cookies and disabling Secure Cookies Management (NoScript Options > Advanced > HTTPS > Cookies) let latest development build work here?
Yes, Firefox clears cookies on each close and I have been closing and restarting Firefox before each test so testing is clean.

Disabling Secure Cookies Management in NoScript 2.9.0.4 does not resolve the problem - i.e. I still cannot login (as with NoScript 2.9.0.2).

The Console output only shows this below (which is the reverse of what appears when running NoScript 2.9.0.2 - which works):

This message appears when the username field is clicked on:

Code:

Use of getPreventDefault() is deprecated.  Use defaultPrevented instead. jquery-1.8.3.min.js:2:40351
These messages appear when I click the "Continue" button, after entering a username:

Code:

Key event not available on some keyboard layouts: key="c" modifiers="accel,alt" browser.xul
Key event not available on some keyboard layouts: key="i" modifiers="accel,alt,shift" browser.xul
Key event not available on some keyboard layouts: key="m" modifiers="control,alt" browser.xul
The only variable that I have changed/tested is switching between NoScript 2.9.0.4 and 2.9.0.2 (which works), since trying NoScript 2.7 (which also works), with Firefox 44.0.2. @therube said FF 44.0.1 & NoScript 2.9.0.3 were giving expected responses.

Downgrading to NoScript 2.9.0.2 or completely disabling NoScript 2.9.0.4 are the only work-arounds that I have found so far.

Re: Capital One 360 Login Blocked

Posted: Mon Feb 22, 2016 3:33 am
by barbaz
Ok looks like it's 'whac-a-mole' time. As a test, please disable the following NoScript features, one at a time / only one at once, in this order, until the site works:
1) XSS: NoScript Options > Advanced > XSS, un-check everything
2) ABE: NoScript Options > Advanced > ABE > un-check "Enable ABE"
-> 2a) if that works, try re-enabling ABE and setting about:config > noscript.doNotTrack.enabled to false
3) ClearClick: NoScript Options > Advanced > ClearClick, un-check everything
4) Inclusion type checking: about:config > set noscript.inclusionTypeChecking to false
5) The other XSS filter: about:config > set noscript.xss.checkInclusions to false
6) surrogates: about:config > noscript.surrogate.enabled to false

Re: Capital One 360 Login Blocked

Posted: Tue Feb 23, 2016 10:16 pm
by billdfixer
barbaz wrote: Ok looks like it's 'whac-a-mole' time. As a test, please disable the following NoScript features, one at a time / only one at once, in this order, until the site works:
6) surrogates: about:config > noscript.surrogate.enabled to false
Here are my results of the 'whac-a-mole' tests:

Firefox 44.0.2
NoScript 2.9.0.4
Windows 8.1

I went down the list one-by-one, as instructed. I cleared cookies and cache before performing each test.

What finally worked was changing item 6 to 'false', as instructed.

After that worked, I reset all of the other options back to their original/default settings - I was still able to login to this banking site.

I must say, I do not know enough about NoScript to know if setting surrogates to 'false' will affect other websites or reduce web security in any way. I also do not know how to implement surrogates so this option can be reset to the default of 'true.'

As a side note, I had another computer with Firefox 40.0.2, which I upgraded to NoScript 2.9.0.4 and I also could not login to this banking website - had to downgrade NoScript to 2.9.0.2 to allow login.

I do not know what all of this may mean but I hope that it helps those who do so that I can reset surrogates to 'true' and still be able to login to this banking website.

Thank you for your guidance with this, @barbaz.

Re: Capital One 360 Login Blocked

Posted: Tue Feb 23, 2016 10:37 pm
by barbaz
Surrogates are designed to make pages work with fewer scripts Allowed, so you'll find browsing without surrogates you need to Allow more sites' scripts than otherwise.

Please try re-enabling surrogates, then changing about:config > noscript.surrogate.ga.replacement to

Code:

(function(){var _0=$S(function()_0),_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);window.urchinTracker=window._u||_u;window._gaq=$S({__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_set:function(a,b){if(typeof b=='function')b()},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0});window._gat=$S({__noSuchMethod__:function(){return _gaq}})})()
Does that let it work?
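
Added illustration, not part of the thread and not NoScript's or the site's code: a modern-JavaScript sketch of what a `_gaq` surrogate like the one above has to do when the real analytics script is blocked, next to a stub that swallows every call. The page handler `clickContinue`, the `bank.example` URLs and the `Proxy` catch-all (standing in for the legacy `__noSuchMethod__`) are assumptions; the thread does not say what the site's own script does.

```javascript
// Stub that ignores everything: callbacks queued by the page never run.
function makeNaiveStub() {
  return { push() {} };
}

// Surrogate that keeps page logic alive while sending nothing to analytics.
// `nav` is a stand-in for window.location (assumption for offline running).
function makeGaqSurrogate(nav) {
  const noop = () => undefined;
  const api = {
    push(cmd) {
      if (typeof cmd === 'function') return cmd();        // run queued callback
      if (Array.isArray(cmd) && typeof cmd[0] === 'string') {
        const [name, ...args] = cmd;
        return surrogate[name](...args);                   // ['_method', ...args]
      }
      return undefined;
    },
    _set(key, value) { if (typeof value === 'function') value(); },
    _link(href) { if (href) nav.href = href; },            // navigation must still happen
    _linkByPost(form) { if (form && form.submit) form.submit(); return true; },
    _getLinkerUrl(url) { return url; },
  };
  // Any other tracker method resolves to a harmless no-op.
  const surrogate = new Proxy(api, {
    get: (target, prop) => (prop in target ? target[prop] : noop),
  });
  return surrogate;
}

// Hypothetical page handler (constructed): the "Continue" step is handed
// to the analytics queue as a callback.
function clickContinue(gaq) {
  const state = { submitted: false };
  gaq.push(['_trackEvent', 'login', 'continue']);
  gaq.push(() => { state.submitted = true; });
  return state.submitted;
}

function demo() {
  const nav = { href: 'https://bank.example/login' };
  const surrogate = makeGaqSurrogate(nav);
  const form = { sent: false, submit() { this.sent = true; } };
  surrogate.push(['_linkByPost', form]);
  surrogate.push(['_link', 'https://bank.example/password']);
  return {
    naive: clickContinue(makeNaiveStub()),
    withSurrogate: clickContinue(surrogate),
    formSent: form.sent,
    href: nav.href,
  };
}
```
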

Re: Capital One 360 Login Blocked

Posted: Wed Feb 24, 2016 1:19 am
by billdfixer
barbaz wrote: Surrogates are designed to make pages work with fewer scripts Allowed, so you'll find browsing without surrogates you need to Allow more sites' scripts than otherwise.

Please try re-enabling surrogates, then changing about:config > noscript.surrogate.ga.replacement to

Code:

(function(){var _0=$S(function()_0),_u=function(){};_0.__noSuchMethod__=_0;('ga'in window)||(ga=_u);window.urchinTracker=window._u||_u;window._gaq=$S({__noSuchMethod__:_0,push:function(f){if(typeof f=='function')f();else if(f&&f.shift&&f[0]in this)this[f.shift()].apply(this,f)},_set:function(a,b){if(typeof b=='function')b()},_link:function(h){if(h)location.href=h},_linkByPost:function(f){if(f&&f.submit)f.submit();return true},_getLinkerUrl:function(u){return u},_trackEvent:_0});window._gat=$S({__noSuchMethod__:function(){return _gaq}})})()
Does that let it work?
Yes, that works - tested on both Windows 8.1 and Windows 7 both with Firefox 44.0.2 and NoScript 2.9.0.4.

If this is a fix, this thread can be marked as solved. If it is just a temporary work-around...?

Thanks, again, for your assistance, @barbaz

Re: Capital One 360 Login Blocked

Posted: Wed Feb 24, 2016 1:27 am
by barbaz
Fix is to include that in NS by default. I've informed Giorgio.

[RESOLVED] Capital One 360 Login Blocked

Posted: Thu Feb 25, 2016 2:47 pm
by billdfixer
barbaz wrote: Fix is to include that in NS by default. I've informed Giorgio.
:D